Post on 27-Mar-2020

Cyber Security in the shipping industry

Capital Link Cyprus Shipping Forum

“We are vulnerable in the military and in our governments, but I think we're most vulnerable to cyber attacks commercially. This challenge is going to significantly increase. It's not going to go away.”

Michael Mullen - US Navy Admiral

Chairman of the Joint Chiefs of Staff

Current cyber threat landscape in the maritime industry

Maritime is not an exception

Transforming the shipping industry

• Computerized systems will transform the shipping industry

• Smart – autonomous or even automated ships

Entering the digitization era

Rolls Royce already entered the game with the Autonomous Waterborne Applications Initiative (AAWA)

• 2020: Reduced crew with remote support and operation of certain functions

• 2025: Remote controlled unmanned coastal vessel

• 2030: Remote controlled unmanned ocean-going ship

• 2035: Autonomous unmanned ocean-going ship

Autonomous Ship Technology Symposium 2016 - Amsterdam

Vessel Digitization

Vessel interconnection means more exposure to the World Wide Web

Vessels Security Challenges

• Data at Rest

• Data in Transit

• Intelligence

• Crew Turnover

Electronic Chart Display & Information System (ECDIS)

ECDIS Systems

• Geographic information systems

• International Maritime Organization compliant

• Alternative / compliant to paper nautical charts

• Can be interfaced with NAVTEX and AIS

• July 2018 – Mandatory for all vessels on international voyages.

Attacking ECDIS Systems

• ECDIS systems are in essence desktop PCs

• With physical access a malicious person could use the USB slot to load incorrect/outdated maps, access the underlying operating system or spread malware/ransomware.

• As with any other PC, ECDIS systems can be tampered with

• A number of these systems run with administrative rights and no password protection.

AIS Systems

• Automatic tracking system for identifying and locating vessels

• 2002 – First mandate for vessels over 300GT to be equipped with a Class A type AIS transceiver.

• AIS information supplements marine radar, which continues to be the primary method of collision avoidance for water transport.

• Aid in accident investigation and in search and rescue operations.

• The information is also sent to providers such as Maritimetraffic.com, Vesselfinder.com or Aishub.net.

• Transmit in the Marine bands - Channel A 161.975 MHz (87B) & Channel B 162.025 MHz (88B)

AIS Systems Messages

AIS can send up to 27 types of messages

• Message 18 is sent at intervals of anywhere between 30 seconds and 3 minutes to report the vessel's position.

• Message 14 is a safety-related broadcast used in emergencies.

AIS Systems Risks

• AIS communications do not employ authentication or integrity checks.

• Communication is made over RF

• Anyone with a cheap RF receiver can also “listen” to these messages. (Range dependent)

http://www.imo.org/en/ourwork/safety/navigation/pages/ais.aspx

AIS Attacks Landscape

Man-in-the-water

Because of maritime laws and best practices, everyone needs to address this type of alert.

Arbitrary weather forecast

Hackers impersonate actual issuers of weather forecasts, such as the port authority, and arbitrarily change the weather forecast delivered to ships.

Fake CPA

Hackers create a fake CPA (closest point of approach) alert.

AIS Spoofing

Hackers can send specially crafted messages that could mimic the location of an existing vessel, or even create a fake vessel and place it on its own virtual course.

Replay Attacks

Hackers capture and store AIS data and replay spoofed messages in specific timeframes.

Ship Hijacking

Hackers download the data of an existing ship, change some of the parameters and submit it to the AIS service.

AIS Systems Attacks

A Security Evaluation of AIS Automated Identification Systems

Marco Balduzzi, Alessandro Pasta, Kyle Wilhoit

Even via RF the hackers have 4 attack vectors

• AIS Gateway

• Vessel Traffic Service

• Vessels

• Offshore

An exaggerated example?

1. 300 ton ships should not drive down the main street of a city

Deloitte’s Threat Analytics

AIS Systems Verified Attacks

• Modification of all ship details such as position, course, cargo, flagged country, speed, name & MMSI

• Creation of fake vessels, e.g. having a vessel with nuclear cargo show up off the coast of the US

• Create and modify Aid to Navigations (AToN) entries, such as buoys and lighthouses.

• The research was published in 2013, but the protocol has not been improved since

• ITU Radiocommunication Sector (ITU-R), the developers of the AIS standard and the protocol specification, have acknowledged the problem
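
Because AIS carries no authentication or integrity checks, a receiver can only judge a report by its plausibility, which is the point of the "ships should not drive down the main street of a city" slide. The Python below is an added example, not part of the original presentation: it assumes position reports have already been decoded into (time, MMSI, latitude, longitude), assumes a 50-knot ceiling for merchant vessels, and uses a constructed land polygon and constructed reports.

```python
import math

MAX_KNOTS = 50.0  # assumption: no merchant vessel sustains more than this
# Constructed polygon (lat, lon) standing in for a land area such as a city centre.
LAND = [(52.36, 4.88), (52.36, 4.92), (52.38, 4.92), (52.38, 4.88)]
# Constructed, already-decoded position reports: (unix_time, mmsi, lat, lon).
REPORTS = [
    (0,   111000001, 52.400, 4.700),
    (60,  111000001, 52.401, 4.705),   # ~0.2 nm in 60 s: plausible
    (120, 111000001, 53.400, 4.705),   # ~60 nm in 60 s: impossible jump
    (0,   111000002, 52.410, 4.850),
    (600, 111000002, 52.370, 4.900),   # plausible speed, but inside LAND
]

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def on_land(lat, lon, poly=LAND):
    """Ray-casting point-in-polygon test against the land polygon."""
    inside = False
    for (la1, lo1), (la2, lo2) in zip(poly, poly[1:] + poly[:1]):
        if (lo1 > lon) != (lo2 > lon):  # edge straddles the point's longitude
            if lat < la1 + (lon - lo1) * (la2 - la1) / (lo2 - lo1):
                inside = not inside
    return inside

def audit(reports, max_knots=MAX_KNOTS):
    """Return (mmsi, time, reason) for every implausible report."""
    findings, last = [], {}
    for t, mmsi, lat, lon in sorted(reports):
        if on_land(lat, lon):
            findings.append((mmsi, t, "position on land"))
        prev = last.get(mmsi)  # previous report from the same MMSI, if any
        if prev and t > prev[0]:
            knots = distance_nm(prev[1], prev[2], lat, lon) / ((t - prev[0]) / 3600)
            if knots > max_knots:
                findings.append((mmsi, t, "impossible speed"))
        last[mmsi] = (t, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in audit(REPORTS):
        print(finding)
```

A flagged report is a prompt to cross-check against radar and visual observation, not proof of spoofing; legitimate GPS faults produce the same symptoms.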

It’s not all bad…

Reliance on crew

• Sufficient and continuous training on Cyber Security

• Development of a Cyber Security Policy

Reliance on manual controls

• Crew

• Paper Charts

• Radar

Vessels must be treated as any other network

• Security Audits

• Penetration Testing

• Physical Security Assessments

Incident Response

• Development of Contingency Plans

• Stress Tests

Secure. Vigilant. Resilient.

Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.

Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.

Being RESILIENT means being prepared and having the ability to recover from cyber incidents and minimize their impact.

To be effective and well balanced, a cyber program must have three key characteristics: secure, vigilant, and resilient.

Cyber Program

The maritime industry relies on IT solutions with global interfaces to improve efficiency and international networking. Shipping, and ships themselves, do not depend on technology for communication purposes only. Information technology will continue to advance and, as a logical consequence, give rise to complex risk scenarios that currently seem difficult to solve.

Balance people, processes and technology. Information security is not just about computer security. Computer security can carry the wrong assumption that as long as the infrastructure and systems are secure, the organization is also secure. You have to invest in all core elements of information security: physical, human and cyber.

Act as if you have already been hacked. Breaches occur at all organizations – not because they are badly managed, but because hackers and cyber-criminals are getting smarter every day. Although it isn’t possible for any organization to be 100 percent secure, it is entirely possible to use a mix of processes for prevention, detection and response to keep cyber-risk below a level set by the board and enable an organization to operate with less.

The ‘forgotten link’ in security.

Both beautiful and dangerous.

Designed to keep people out.

Four takeaway questions to reflect on through the lens of a secure, vigilant, and resilient approach to cybersecurity:

1. Are we proactive or reactive? Retrofitting for security is very expensive. Build it upfront in your management processes, applications, and infrastructure.

2. Are we focused on the right things? Often asked, but difficult to accomplish. Understand how value is created in your organization, where your critical assets are, how they are vulnerable to key threats. Practice defense-in-depth.

3. Are we adapting to change? Policy reviews, assessments, and rehearsals of crisis response processes should be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.

4. Do we have the right talent? Quality over quantity. There may not be enough talent to do everything in-house, so take a strategic approach to sourcing decisions. Are the security teams focused on the real business areas?

Key Messages

Cyber risk is not an uncontrollable phenomenon
